Security: Is technology saint or sinner?

Data pragmatism

SANS - Survey on application security programs

If we continue in this way, we'll see more headlines where a child dies owing to information from one group not being available to another, to people who should be being tracked being lost due to insufficient data being available, to the continued billions of pounds being wasted in fraudulent claiming of benefits, of insurance claims, the booming black market economy and so on.

ID theft will continue to rise without any means of being able to prove irrevocably who we are, and that ID can be taken from us.

And for anyone who has had full ID theft occasioned against them, then all of a sudden, you really wish that you'd backed the implementation of ID cards, at least in a correct way.

(Please note that I am not backing the government's half-hearted, half-baked way of providing government-backed false IDs.)

To my mind, it's technology which can help us by ensuring sophisticated controls over access to data. We can design, say, a DNA database that is just that: a genetic fingerprint that is held against an identifier.

We could do the same for iris recognition and/or fingerprinting. Three different databases, none of which actually provides any information against named people.

To get onto these databases, you have to go through three different groups. Why? So that any chance of using insiders to create false IDs is minimised.

Any check against these databases would use full auditing. Any access to any field within the database is time stamped and stamped with an access code showing which user or body nominally accessed that field.

Security profiles then begin to take over; having verified that the DNA, iris and/or fingerprint are in each of the databases, what else do we need to do?

Do we need to be able to carry out another match to ensure that this person is who they are saying they are? Maybe a PIN or something similar? OK, a fourth database, maybe within the private sector.

Again, all that this has is the PIN against a unique identifier. We now have up to four pieces of unique data against four unique identifiers. In comes database number five: a correlation database of unique identifiers.

If all of these unique identifiers correlate as being from the same person, we can pretty much assume that we have a match. And at no stage have we had to go to a database that has any names or other personally identifiable information held within it.

However, if this is the police, ambulance or fire brigade, they may then need to go to a different database where such personal information is held.

Again, all fully audited against access type, named ID and, where necessary, correlated against biometric information of the accessing individual.

For the highest levels of information being held on us, we need the same sort of approach that we have for nuclear warheads being set off: a dual key system.

No single person should be able to access every last item about another without some balance being available.

For me, we have to look at data pragmatism. I want to be able to walk the streets without too much fear of aggravated assault against me, I want to be able to see my insurance premiums go down because thieves find it harder to get away with misdemeanours, I'd like to see my tax go down due to fraud being eradicated.

This won't happen unless we make the most of technology, but also use appropriate technology as the controls against inappropriate usage.

Copyright © 2006, IT-Analysis.com

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.